Two-factor authentication

Mad Maxx

I've been trying to read up on this. Can't decide if it's something I should do. Thoughts?
 
Of course. What's the downside, a very mild inconvenience?

You've provided... almost no information but the only time I won't use 2fa is if they require a phone number/text and I can't use Google Authenticator.
 
2FA is good and more secure, sure.
Talking about Google accounts, I wouldn't have moved to 2FA there a few months ago (yeah, using the Google Authenticator app as the primary code generator) if it weren't for the ten backup codes. Two reasons:
1. Even when I wasn't using 2FA, and tried using my account on other computers, Google was asking to approve my access through my phone (just because I'm signed in on my phone) through a system notification (and not some Authenticator).
2. Without backup codes I could lose my phone AND lose access to my home computer (or be somewhere abroad or far from it) - then I wouldn't have access to my account forever (probably). Unacceptable!

#1 wasn't acceptable anymore. It was almost the same as #2.
#2 is just as unacceptable if/when I lose my phone AND lose access to the computer that I checked to log in without entering a 2FA code.
With backup codes stored securely in a password manager whose DB file is backed up to many places, I can sleep calm knowing I wouldn't lose access to my account. But pure 2FA where I need the phone/second device to log in and this device could be lost... no thanks!
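The two mechanisms the posts above weigh against each other, as an added example that is not from any poster in this thread: TOTP codes as Google Authenticator computes them (RFC 6238, using that RFC's published test secret rather than a real key), and single-use backup codes that a server stores only as salted hashes so a leaked database cannot be replayed. The `BackupCodes` class, the 8-hex-character code format and the PBKDF2 parameters are constructed for illustration, not Google's actual implementation.

```python
import base64, hashlib, hmac, secrets, struct, time

# RFC 6238 test secret ("12345678901234567890" in base32); constructed, not a real key
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 as Google Authenticator does it: HOTP over floor(unix_time / 30)."""
    return hotp(secret_b32, at // step)

def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- skew neighbours to tolerate clock drift."""
    ok = False
    for delta in range(-skew, skew + 1):
        # constant-time compare; keep looping so timing does not reveal which step matched
        ok |= hmac.compare_digest(hotp(secret_b32, at // step + delta), code)
    return ok

class BackupCodes:
    """Single-use recovery codes: the server keeps only salted hashes, each burned on use."""
    def __init__(self, count: int = 10):
        self.salt = secrets.token_bytes(16)
        self.plain = [secrets.token_hex(4) for _ in range(count)]  # shown to the user once
        self.hashes = {self._h(c) for c in self.plain}

    def _h(self, code: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 100_000)

    def redeem(self, code: str) -> bool:
        h = self._h(code)
        if h not in self.hashes:
            return False
        self.hashes.discard(h)  # a replayed code must fail the second time
        return True

if __name__ == "__main__":
    print("current code for the test secret:", totp(SECRET, int(time.time())))
```

Losing the phone loses nothing as long as one unused entry in `BackupCodes.plain` survives somewhere the user can reach; that is the recovery path the post above relies on.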
 
Seriously, moflappy?

Do that shit.

Don't send it SMS, do it hardware.

But do it.
 
You can load up to 5 into lastpass, IIRC. I keep one live and another in the fam's go bag.
 
I have 2FA on my Google Account. My phone died.

It was no hassle to get it set up again on a new phone. No panic needed. Took a couple of minutes.

The one 2FA that was a pain to get sorted after my phone died was Steam. Had to send them a pic of my Fallout 4 game code to prove it was me.
 
How did you get your new phone signed in with your account when you had your 2FA activated, without entering a code? This is the meaning of these 2FA codes in the first place, no matter if I try to log in using a PC or a phone.
The only explanation is that you already had your (home) PC "whitelisted", where you could approve your new phone to use the account.
 
Yubico USB-C key ordered! (y)

Good choice.

Just a small warning though on the Yubico, I would create a VM and test the configuration on that first. Configuring it incorrectly can cause you some issues, but luckily there is a bit of information out there now on how to configure it for most of the popular stuff out there.

EDIT: Also, make sure to look into all the different ways you can configure and use the Yubico. It has a lot of options on things you can do. The company is technically a hardware company; they are most interested in providing the most versatile platform they can. I have talked quite a bit with some of their engineers on various interesting applications for their product.
 
So I am reading up on these Yubico devices, and I am trying to see if they could be used for TACACS like Cisco, Juniper, etc. So far I can't seem to find anything on their site about it or from searching either. Has anyone done this with them yet and can provide a little insight?
 
Most current implementations for accessing Cisco and Juniper boxes typically involve authentication to a jump box and then logging into the network devices from there. There is some information on using 2FA with CISCO ISE. In the case of Yubikey, you would most likely set it up to act as a smartcard or OTP. You can get information on how to do that from Yubikey; how you then integrate it with Cisco would be on you and Cisco. Unless of course you hire Yubikey to consult and/or do the integration for you. They do provide that service as well.

What is the purpose of your implementation, is this for a company?
 
Just looking at two-factor authentication for TACACS in a mixed environment. I have read the Cisco items and they seem straightforward enough but can't find much on Juniper. I would like to keep it as vendor neutral as possible so it could be used regardless of the gear installed. Yubikey seems to have lots of instructions on how to set up their stuff on a variety of vendors but nothing that I could see about using TACACS.

You made me think a little more: if this was going to be used like a smart card, then shouldn't they expire at some point like a certificate, or are they perpetually valid?
 
So just to give a clue on how this generally works in mixed CISCO/Juniper environments I have been in, we use an AD for accounts matched with a Radius server that manages tokens. The users log in through a portal where they have to provide 2FA, and then from there they can ssh into the network appliances using their AD account credentials.

EDIT: Forgot about the second part in your question here. As for the smart cards, that really depends on how you want to implement it, but yes part of certificate management is expiration. That is generally why people use AD with a CA.

Remember the Yubikey is mainly just hardware, what they are doing is providing that hardware with a lot of different tools and options on how it can be used. I was developing an interesting workflow with Yubico where the Yubikey provided not only smart card credentials, but also housed configuration information and encryption. The point being that in order to operate special devices and get them connected on a network, they would need the Yubikey to get the correct configuration, but in order to unlock the configuration, the user would need to authenticate using their credentials, and then after the configuration was done, it would use the yubikey as part of its encryption method to encrypt communications from the device.

EDIT 2: Also, just want to say, there are other key types out there, I suggest Yubikey because I have worked with them and know it can do a lot of different things. But most of these require you to create the implementation for how you want to use them. There are other easier turnkey solutions out there you can use if that would speed up the process for you or be better for your situation.
 
First, thank you for the detailed response. So really using RADIUS versus TACACS, I can see that working. Never used RADIUS for that, just dot1x items. I will have to look a little more into it. Again, thank you for the response. Also, I guess I never really answered your question, but my purpose would be to move away from username/passwords for this access at my employment. With Cisco they seem to have lots of documentation and forum posts about this; other vendors not nearly as much that I can find yet. I am still researching all options and it probably will be a while until I recommend solutions and start planning it, but I kinda like the idea of Yubikey.
 
To be clear it is using Radius with TACACS. You are merely relying on the Radius for the authentication piece before it goes to the TACACS system. If you want to see a bit more on how to do this, this site seems to have some good examples helping to explain.

So the reason I ask that, if this is specifically for a solution with your company, Yubico does offer engineering support to help you build that implementation. They started up a whole group specifically for this purpose, it might be worth it if you want to go down that route to contact them and ask about it. I am not sure what they charge for that service though, it was part of the contract with enterprise services at my last location.
 